diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index a7b955e890..33eaec7046 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -16,10 +16,10 @@ jobs:
 uses: gardener/cc-utils/.github/workflows/prepare.yaml@master
 with:
 mode: ${{ inputs.mode }}
- version-commit-callback-action-path:
 post-process: callback
 permissions:
- contents: read
+ id-token: write
+ pull-requests: write # required until https://github.com/gardener/cc-utils/pull/1529 is merged
 oci-images:
 name: Build OCI-Images
diff --git a/.github/workflows/non-release.yaml b/.github/workflows/non-release.yaml
index 44c4a3c7e2..f5435f0c4f 100644
--- a/.github/workflows/non-release.yaml
+++ b/.github/workflows/non-release.yaml
@@ -19,7 +19,7 @@ jobs:
 mode: snapshot
 secrets: inherit
 permissions:
- contents: write
+ contents: read
 packages: write
 id-token: write
 pull-requests: write
@@ -29,7 +29,6 @@ jobs:
 uses: gardener/cc-utils/.github/workflows/post-build.yaml@master
 needs:
 - build
- secrets: inherit
 permissions:
 id-token: write
 contents: write
diff --git a/.github/workflows/pullrequest-trust-helper.yaml.yml b/.github/workflows/pullrequest-trust-helper.yaml.yml
index a2a907eee8..a0b0b73c91 100644
--- a/.github/workflows/pullrequest-trust-helper.yaml.yml
+++ b/.github/workflows/pullrequest-trust-helper.yaml.yml
@@ -9,8 +9,7 @@ on:
 jobs:
 pullrequest-trusted-helper:
 permissions:
- pull-requests: write
- secrets: inherit # access to `GitHub-Actions`-App is needed to read teams
+ id-token: write
 uses: gardener/cc-utils/.github/workflows/pullrequest-trust-helper.yaml@master
 with:
 trusted-teams: 'test-infra-maintainers'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3759b9d5ad..c0dbe69aa8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
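Review bot: Removing `contents: read` from the prepare job's `permissions` block leaves that scope at no access, because listing `permissions` on a job sets every unlisted scope to none (only metadata survives); if prepare.yaml@master checks out the repository or reads it through the GITHUB_TOKEN, the call will now fail, so either confirm it does not or keep `contents: read` next to the two added lines. The `pull-requests: write` grant is documented as temporary with a tracking link, which is the right pattern; give `id-token: write` the same one-line rationale stating what the OIDC token is exchanged for, e.g. `id-token: write # OIDC token for <placeholder: federated credential requested by prepare.yaml>`. The prepare job's definition starts before this hunk.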
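Review bot: Dropping `secrets: inherit` from the post-build job means post-build.yaml@master now receives no secrets at all; a secret the called workflow declares as required is rejected at workflow validation, but one declared optional silently arrives empty and only fails at the point of use, so confirm that post-build.yaml declares no secret inputs that are still read. The same removal is made on the release job in release.yaml and the same check applies there. The job keeps `contents: write` together with `id-token: write`; if the OIDC token now supplies what the inherited secrets used to, say so on the line, e.g. `id-token: write # OIDC replaces the previously inherited secrets`. The rest of the post-build job lies outside the hunk.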
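Review bot: The removed `secrets: inherit` line carried the only explanation of why this job needs elevated access (reading teams through the GitHub-Actions App) and its replacement `id-token: write` carries none; keep that rationale on the new line, e.g. `id-token: write # OIDC token used to obtain team-read access (replaces the inherited GitHub-Actions-App secret)`, since presumably that is how the called workflow now authenticates — confirm against pullrequest-trust-helper.yaml@master. Dropping `pull-requests: write` also removes the job's ability to label or comment on the pull request; if the called workflow still does either, that now fails with the reduced token. The workflow's `on:` block lies before the hunk.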
@@ -12,8 +12,9 @@ on:
 jobs:
 build:
 uses: ./.github/workflows/build.yaml
+ secrets: inherit
 permissions:
- contents: write
+ contents: read
 id-token: write
 packages: write
 pull-requests: write # required to remove labels
@@ -24,7 +25,6 @@ jobs:
 uses: gardener/cc-utils/.github/workflows/release.yaml@master
 needs:
 - build
- secrets: inherit
 permissions:
 contents: write
 id-token: write
@@ -32,5 +32,3 @@ jobs:
 with:
 release-commit-target: branch
 next-version: ${{ inputs.next-version }}
- next-version-callback-action-path:
- slack-channel-id:
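Review bot: The new `secrets: inherit` on the build job forwards every repository and organization secret into build.yaml and onward to whatever it calls, while in this same commit build.yaml's prepare job passes no `secrets:` to prepare.yaml@master at all; if a single secret is what is actually needed (possibly by the oci-images job, which lies outside build.yaml's hunk), pass it by name under `secrets:` as `<placeholder: secret-name>: ${{ secrets.<placeholder: secret-name> }}` rather than inheriting everything. Lowering `contents` to read here matches the same change in non-release.yaml. The build job may continue past the end of the hunk.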